A Hackable Hole in BuddyPress

Mainly documenting this just so I will have it somewhere I can find it easily, but maybe it will help others, too.

On the Macaulay Eportfolio system we do not restrict account creation by email domain (since we want our students to use whatever email address they want). Instead we use a shared codeword which only our students have. Without that codeword, you can’t create a new account.

This completely shuts down spam blog or account creation (comment spam is a separate issue), but still makes the process easy and open enough for large numbers of students to create (legitimate) accounts whenever they want to from a wide variety of different email addresses and campuses.

But I noticed that every time I upgraded BuddyPress, within 10 or 12 minutes, spam accounts would start flooding in.

The reason is that BuddyPress ships a lurking little file which does NOT respect the codeword restriction. And spambots seem to be scanning for and targeting that file ALL the time.

In the BuddyPress directory, under bp-templates/bp-legacy/buddypress/members, there’s a file called register.php. And that file is a wide-open invitation to splogs and splusers. Spammers. Bots. They flock to it.

So every time I update BuddyPress, step number one right after the update is to delete that file. I write this to myself… to remind myself to do that, and to remind myself where it is.
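Since the file comes back with every plugin update, the "delete it right after updating" step is easy to forget. Below is a small POSIX shell script that does that step and can also be run read-only from cron to warn if the file has reappeared. This is an added example, not code from the original post or from BuddyPress itself; the WordPress root (`WP_ROOT`) and plugin directory (`BP_DIR`) are assumed defaults you would adjust, and the only page-derived value is the template path `bp-templates/bp-legacy/buddypress/members/register.php`.

```shell
#!/bin/sh
# Added example (not from the original post or the BuddyPress project).
# Removes the legacy register.php template named in the post and verifies
# it stays gone. WP_ROOT and BP_DIR are assumed locations; override them.

WP_ROOT="${WP_ROOT:-/var/www/html}"
BP_DIR="${BP_DIR:-$WP_ROOT/wp-content/plugins/buddypress}"
# Path from the post, relative to the BuddyPress plugin directory.
TARGET_REL="bp-templates/bp-legacy/buddypress/members/register.php"

# remove_legacy_register PLUGIN_DIR
# Deletes the file if present. Returns 0 when the file is absent afterwards
# (deleted now or already gone), 1 if it could not be removed.
remove_legacy_register() {
    dir="$1"
    target="$dir/$TARGET_REL"
    if [ -f "$target" ]; then
        rm -f -- "$target" || return 1
        echo "removed: $target"
    else
        echo "already absent: $target"
    fi
    [ ! -e "$target" ]
}

# check_legacy_register PLUGIN_DIR
# Read-only check for monitoring: returns 1 if the file has come back
# (for example after a plugin update), 0 if it is absent.
check_legacy_register() {
    dir="$1"
    if [ -e "$dir/$TARGET_REL" ]; then
        echo "WARNING: $dir/$TARGET_REL is present again"
        return 1
    fi
    return 0
}

# Run the post-update step only when invoked as: sh harden-bp.sh --run
# Run the monitoring check only with:           sh harden-bp.sh --check
case "${1:-}" in
    --run)   remove_legacy_register "$BP_DIR" ;;
    --check) check_legacy_register "$BP_DIR" ;;
esac
```

Run it with `--run` immediately after each BuddyPress update, and schedule `--check` from cron so a non-zero exit (and the WARNING line) tells you an update has restored the file before the spam accounts start arriving. The `--check` mode deliberately changes nothing, so it is safe to run on a schedule without touching the plugin directory.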